
Network Security Checklist - Cisco Layer 3 Infrastructure Switch Version 7, Release 1.1 20 November 2007 DISA Field Security Operations Developed by DISA for the DoD

Published by , 2016-02-25 03:12:03


Network Security Checklist - Cisco Layer 3 Infrastructure
Switch

Version 7, Release 1.1
20 November 2007

Developed by DISA for the DOD

UNCLASSIFIED

UNCLASSIFIED UNTIL FILLED IN

CIRCLE ONE

FOR OFFICIAL USE ONLY (mark each page)

CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on classification of system reviewed:

Unclassified System = FOUO Checklist
Confidential System = CONFIDENTIAL Checklist
Secret System = SECRET Checklist
Top Secret System = SECRET Checklist

Site Name:
Address:
Phone:

Name:                Phone Number:                Email:                Area of Responsibility:

Position: IAM        Name:
Position: IAO        Name:

Page 2 of 86 UNCLASSIFIED


NET0162 V0004622 CAT I AG ingress ACL is not configured to secure enclave

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site’s address space.

Vulnerability Discussion: Any enclave with one or more AG connections will have to take additional steps to ensure that neither their network nor the NIPRNet is compromised. Without verifying the destination address of traffic coming from the site’s AG, the premise router could be routing transit data from the Internet into the NIPRNet. This could also make the premise router vulnerable to a DoS attack as well as provide a backdoor into the NIPRNet. The DOD enclave must ensure that the premise router’s ingress packet filter for any interface connected to an AG is configured to only permit packets with a destination address belonging to the DOD enclave’s address block.

Checks

NET AG Ingress
Review the running config of the router that connects to an AG and verify that each permit statement of the ingress ACL is
configured to only permit packets with destination addresses of the site’s NIPRNet address space or that belonging to the
address block assigned by the AG network service provider.

Default Finding Details: AG ingress ACL is not configured to only permit packets with a destination address belonging to the site’s address block.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET AG Ingress
Ensure the ingress ACL for any interface connected to an AG is configured to only permit packets with a destination address
belonging to the site’s address block.

Notes:
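A config audit for this check, written here as an added example in Python (it is not part of the DISA checklist and not a Cisco tool): it parses a named extended ACL out of a running-config and reports every permit entry whose destination is not inside the site's address block, which is what the reviewer is asked to verify above. The site block 203.0.113.0/24, the ACL name AG-INGRESS and the config fragment are constructed assumptions.

```python
import ipaddress

# Assumed site address space (a documentation prefix stands in for the enclave's NIPRNet block).
SITE_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: the ingress ACL applied on the AG-facing interface of the premise router.
SAMPLE_CONFIG = """\
ip access-list extended AG-INGRESS
 10 deny   ip 10.0.0.0 0.255.255.255 any
 20 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 30 permit udp any eq 53 host 203.0.113.5
 40 permit tcp any any eq 80
 50 permit ip any 203.0.112.0 0.0.1.255
 60 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group AG-INGRESS in
"""

# Port qualifiers that may follow a source or destination, with the number of tokens they occupy.
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (IPv4Network, or None for 'any', next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # Invert the wildcard into a netmask explicitly: ip_network() would read 0.0.0.0 or
    # 255.255.255.255 as a netmask rather than a wildcard. A discontiguous wildcard raises ValueError.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, i + 2


def _skip_ports(tokens, i):
    """Skip an optional port qualifier such as 'eq 443' or 'range 1024 65535'."""
    while i < len(tokens) and tokens[i] in PORT_OPS:
        i += PORT_OPS[tokens[i]]
    return i


def parse_acl(config, name):
    """Return (action, protocol, src, dst) for each entry of the named extended ACL."""
    entries, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("ip access-list extended "):
            inside = raw.split()[-1] == name
            continue
        if not raw.startswith(" "):          # any other top-level line ends the ACL block
            inside = False
        if not inside:
            continue
        tokens = raw.split()
        if tokens and tokens[0].isdigit():   # optional sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _take_addr(tokens, 2)
        i = _skip_ports(tokens, i)
        dst, _ = _take_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def ag_ingress_findings(config, acl_name, site_blocks=SITE_BLOCKS):
    """NET0162: every permit entry must have a destination inside the site's address block."""
    findings = []
    for action, proto, src, dst in parse_acl(config, acl_name):
        if action != "permit":
            continue
        if dst is None or not any(dst.subnet_of(block) for block in site_blocks):
            findings.append(f"permit {proto} with destination {dst or 'any'} is outside the site block")
    return findings


if __name__ == "__main__":
    for finding in ag_ingress_findings(SAMPLE_CONFIG, "AG-INGRESS"):
        print("FINDING:", finding)
```

On the sample, entries 40 (destination any) and 50 (203.0.112.0/23, wider than the site block) are reported; the deny entries are not inspected because only permits admit traffic.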


NET0164 V0004623 CAT I AG router has a routing protocol to the enclave.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.

Vulnerability Discussion: The premise router will not use a routing protocol to advertise NIPRNet addresses to the AG. Most ISPs use Border Gateway Protocol (BGP) to share route information with other autonomous systems (AS), that is, any network under a different administrative control and policy than that of the local site. If BGP is configured on the premise router, no BGP neighbors will be defined as peer routers from an AS belonging to any AG. The only method to be used to reach the AG will be through a static route.

Checks

NET AG Routes
Review the configuration of the router connecting to the AG and verify that there are no BGP neighbors whose remote AS
belongs to the AG service provider.

Default Finding Details: The router connecting to an AG is configured to use a routing protocol between the AG network service provider and the Enclave.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET AG Routes
The only method to be used to reach the AG will be through a static route.

Notes:

NET0166 V0004624 CAT III AG Network IP addresses are advertised in enclave

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS), i.e., to another AG device in another AS.

Vulnerability Discussion: Unsolicited traffic that may inadvertently attempt to enter the NIPRNet by traversing the enclave's premise router can be avoided by not redistributing NIPRNet routes into the AG.

Checks

NET AG IP Addresses
Review the configuration of the router connecting to the AG and verify that there are no routes being redistributed into the
enclave from the AG.

Default Finding Details: AG Network Service Provider IP addresses are advertised or redistributed to the NIPRNet.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET AG IP Addresses
Use distribute lists or prefix lists to ensure AG routes are not redistributed into the NIPRNet BGP or the site’s IGP (OSPF, EIGRP, RIP,
etc.).

Notes:


NET0167 V0014632 CAT II AG must adhere to PPS boundary 13 and 14 policies

8500.2 IA Control: DCPP-1, ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure the route to the AG network adheres to the PPS CAL boundary 13 and 14 policies and is in compliance with all perimeter filtering defined in the perimeter and router sections of the Network STIG.

Vulnerability Discussion: The enclave perimeter requirement for filtering, to include JTF-GNO PPS filtering rules, and monitoring traffic will be enforced for any traffic from the AG. All traffic entering the enclave from the AG must enter through the firewall and be monitored by internal IDS. All traffic leaving the enclave, regardless of the destination--AG or NIPRNet addresses, will be filtered by the premise router's egress filter to verify that the source IP address belongs to the enclave.

Checks

NET AG PPS policy
The enclave perimeter requirement for filtering, to include JTF-GNO PPS filtering rules, and monitoring traffic will be enforced
for any traffic from the AG. All traffic leaving the enclave, regardless of the destination--AG or NIPRNet addresses, will be
filtered by the premise router's egress filter to verify that the source IP address belongs to the enclave.

Default Finding Details:

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET AG PPS policy
Ensure the perimeter is protected from this path. A deny by default policy is enforced at this connection and the site is in
compliance with all PPS 13 and 14 boundaries.

Notes:

NET0190 V0003005 CAT III LAN addresses are not protected from the public.

8500.2 IA Control: EBBD-1, EBBD-2, EBBD-3, ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure that workstation clients’ real IPv4 addresses are not revealed to the public by implementing NAT on the firewall or the router.

Vulnerability Discussion: NAT works well with the RFC 1918 addressing scheme, and it also has the privacy benefit of hiding real internal addresses. An attacker can learn more about a site’s private network once it has discovered the real IP addresses of the hosts within.

Checks

NET NAT Requirement
Review the firewall or premise router configuration to determine if NAT has been implemented.

Default Finding Details: NAT has not been implemented. Mark this as N/A for SIPRNet enclaves that have not implemented NAT.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET NAT Requirement
Implement Network Address Translation (NAT) on the firewall or premise router for NIPRNet Enclaves.

Notes:


NET0201 V0014637 CAT II IPv6 route advertisements must be suppressed

8500.2 IA Control: DCBP-1, ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure that all external interfaces on Premise, AG, or Backdoor routers have router advertisements suppressed.

Vulnerability Discussion: Many of the known attacks on stateless autoconfiguration defined in RFC 3756 were already present as IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for the link-local attacks, but it has since been found to have bootstrapping problems and to be very administratively intensive: an IP address is needed first in order to set up the IPSec security association, which creates a chicken-before-the-egg dilemma. Solutions were being developed (Secure Neighbor Discovery and Cryptographically Generated Addresses) to address these threats, but they were not available at the time of this writing.

To mitigate these vulnerabilities, links that have no hosts connected, such as the interface connecting to external gateways, will be configured to suppress router advertisements.

Checks

NET IPv6 RA suppress IOS
Base Procedure:
On the network perimeter router’s external interface suppress the router advertisements.

IOS Procedure:
interface faste0/0
 ipv6 nd ra suppress

Default Finding Details: IPv6 router advertisements are not suppressed.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET IPv6 RA suppress
Base Procedure:
On the network perimeter router’s external interface suppress the router advertisements.

Notes:


NET0240 V0003143 CAT I Devices exist that have standard default passwords

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure all default manufacturer passwords are changed.

Vulnerability Discussion: Devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing network, device, or information damage, or denial of service. Not changing the password in a timely manner increases the likelihood that someone will capture or crack the password and gain unauthorized access to the device.

Checks

NET Password Protection
Interview the network administrator and attempt to logon to several devices.

Default Finding Details:

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Password Protection
Ensure all communication devices are in compliance with password policy.

Notes:

NET0340 V0003013 CAT II Warning banner compliance to 8500.2 ECWM-1.

8500.2 IA Control: ECWM-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure warning banners are deployed on all network devices allowing SSH, Telnet, File Transfer Protocol (FTP), or Hyper-Text Transfer Protocol (HTTP) access in accordance with DODI 8500.2 ECWM-1.

Vulnerability Discussion: Failure to display the required login banner prior to logon attempts will limit the site’s ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. Not displaying the proper banner will also hamper the site’s ability to monitor device usage.

Checks

NET Warning Banners
Have the network administrators sign onto each managed network device to ensure the DoD approved warning banners are
displayed before the password prompt and after a correct login.

Default Finding Details: DOD approved warning banners, adhering to Appendix C of the Network Infrastructure STIG, are not displayed on network managed devices.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Warning Banner
Display the approved DOD login banner prior to a login attempt on all network devices allowing Telnet, File Transfer Protocol
(ftp), or Hyper Text Transfer Protocol (http) access.

Notes:


NET0400 V0003034 CAT II Interior routing protocols are not authenticated

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The router administrator will ensure neighbor authentication with IPSec AH or MD5 Signatures is implemented for interior routing protocols with all peer routers within the same or between Autonomous Systems (AS).

Vulnerability Discussion: A rogue router could send a fictitious routing update to convince a site’s premise router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information of the site’s network, or merely used to disrupt the network’s ability to effectively communicate with other networks.

Checks

NET MD5 Authentication

Determine what routing protocols have been implemented with internal neighbors. After identifying the routing protocol ensure
neighbor authentication is implemented using MD5. The following interior routing protocols support MD5: OSPFv2, IS-IS,
EIGRP, and RIP V2.

NET0400-CISCO

OSPF
interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf message-digest-key 10 md5 mypassword

router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication message-digest

Note: Authentication has to be enabled for each area. In OSPF, an interface belongs to only one area; hence, there would
always be a network statement under the OSPF process ID for each interface that has OSPF traffic. The network statement
defines the area in which the network belongs. The MD5 key-id and password are defined under each interface connected to an
OSPF neighbor.

EIGRP
interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 mypassword

key chain mypassword
 key 12345
  key-string abcdefg
  accept-lifetime infinite

router eigrp 1
 network 10.0.0.0
 no auto-summary

Default Finding Details: MD5 is not used to authenticate routing protocol neighbors.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET MD5 Authentication
The router administrator will configure the routers so that MD5 authentication is used to authenticate routing protocol neighbors.

Notes:


NET0402 V0014664 CAT II OSPFv3 routing protocol is not authenticated

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure neighbor authentication is implemented between OSPFv3 peer routers within the same or between autonomous systems (AS) using IPSec.

Vulnerability Discussion: OSPFv3 for IPv6 is a completely independent routing protocol from OSPFv2 for IPv4. Securing OSPFv2 in a dual-stack environment will not protect the OSPFv3 protocol or the OSPFv3 routing table. They are ships-in-the-night routing protocols that do not interoperate. The routing updates and routing tables are completely separate.

Generally, an attack against a routing system falls into one of two categories: disrupting peering and falsifying routing information. To ensure that OSPF for IPv6 packets are not altered and re-sent to the router, OSPF for IPv6 packets must be authenticated.

Checks

NET OSPFv3 authentication

Base Procedure:
The authentication fields found in OSPFv2 have been removed from the OSPFv3 packet for IPv6, so MD5 is no longer an
authentication option. OSPFv3 relies on the IP Authentication Header and the IP Encapsulating Security Payload to ensure
integrity, authentication and confidentiality of routing exchanges. Defining IPSec on the interface provides stronger security than
a definition for an OSPF area. Review the configuration for protocol authentication.

NET0402-CISCO

You must define the IPSec AH keys and SPI to use for each OSPF area. IOS 12.3T and later support IPSec AH for OSPF, but
they require you to enter a raw MD5 or SHA-1 HMAC key manually (first CISCO example).

OSPFv3 IPSec encapsulating security payload (ESP) encryption and authentication is available beginning in 12.4(9)T. Using
the null keyword following ESP implements ESP without encryption.

Authentication example using AH keys:
interface ethernet 0/0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

ESP example (encapsulates the entire payload; null means no encryption):
interface ethernet 0/0
 ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D

Default Finding Details:

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET OSPFv3
The router administrator will configure the routers to use IPSec for routing peer authentication among routing protocol neighbors.

Notes:


NET0408 V0014665 CAT II Exterior routing protocols must authenticate

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The router administrator will ensure neighbor authentication with MD5 or IPSec is implemented for all BGP routing protocols with all peer routers within the same or between autonomous systems (AS).

Vulnerability Discussion: Unlike OSPF ships-in-the-night, the protocol BGP exchanges information on IPv4 and IPv6 routes concurrently. Two mechanisms available to protect the integrity of BGP peers are TCP MD5 Signature and IPSec.

The simplest way to create havoc in a network is to inject bogus routes. On the other hand, an attack could be much more sophisticated. A rogue router or device could send a fictitious routing update to convince an edge router to send traffic to an incorrect or rogue destination. This diverted traffic could be analyzed to learn confidential information regarding the site’s network, or merely used to disrupt the network’s ability to effectively communicate with other networks.

An autonomous system (AS) can advertise incorrect information through BGP update messages passed to routers from a neighboring AS. A malicious AS can advertise a prefix originated from another AS and claim that it is the originator. Neighboring autonomous systems receiving this announcement will believe that the malicious AS is the prefix owner and route packets to it. The prefix owner will not receive the traffic that is supposed to be bound for it. Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. LDP hellos from peers that have no password are ignored. By configuring strict authentication between LSR peers, LDP and RSVP sessions can be restricted and the integrity of LSPs can be guarded.

Checks

NET BGP Authentication

Base Procedure
Determine what routing protocols have been implemented on the edge. MD5 Signature is most common in current BGP
implementations, and sets up an effective signature for the TCP packets based on a cryptographic protection. You can apply
IPSec to BGP traffic. IPSec is a protocol suite used for protecting IP traffic at the packet level. IPSec is based on security
associations (SAs). A security association is a simple connection that provides security services to the packets carried by the
SA. After configuring the security association, you can apply the SA to BGP peers. Following are some sample configurations
for BGP neighbor authentication using MD5. Reference the example in OSPFv3 for an IPSec example. The protocol would
obviously change to BGP. Verify the authentication is implemented correctly.

NET0408 - CISCO

Following are some sample configurations for BGP neighbor authentication using MD5. Reference the example in OSPFv3 for
an IPSec example. The protocol would obviously change to BGP.

router bgp 100
 neighbor external-peers peer-group
 neighbor 171.69.232.90 remote-as 200
 neighbor 171.69.232.90 peer-group external-peers
 neighbor 171.69.232.100 remote-as 300
 neighbor 171.69.232.100 peer-group external-peers
 neighbor 171.69.232.90 password xxxxxxxxxx
 neighbor 171.69.232.100 password xxxxxxxxxx

router bgp 100
 neighbor IPv6-external-peers peer-group
 neighbor 2001:100:3:4::1 remote-as 200 ! for EBGP peering, over IPv6
 neighbor 2001:100:3:4::1 peer-group IPv6-external-peers
 neighbor 2001:100:3:4::1 password xxxxxxxxxx

Note: The neighbor/password statement can be applied to either the peer-group or the neighbor definition.

Default Finding Details: Exterior routing protocols do not authenticate.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET BGP Authentication
The router administrator will configure the routers so that MD5 or IPSec AH authentication is used to authenticate routing
protocol neighbors.

Notes:
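An added Python example that serves both the NET0164 check (no BGP session to the AG provider's AS) and the NET0408 check above (every BGP neighbor authenticates); it is not part of the DISA checklist or a Cisco tool. It parses the router bgp stanza of a running-config, resolves remote-as and password inheritance from peer-groups as the note above describes, and reports neighbors that fail either check. The AG provider ASN 64512, the addresses and the config fragment are constructed assumptions.

```python
# Assumed AS numbers of the AG (ISP) service provider; a private ASN stands in here.
AG_PROVIDER_ASNS = {64512}

# Constructed sample BGP stanza: two peer-group members inherit the group password, the IPv6 peer
# has its own, and 198.51.100.7 is a direct session to the AG provider's AS with no password.
SAMPLE_CONFIG = """\
router bgp 100
 neighbor external-peers peer-group
 neighbor external-peers password xxxxxxxxxx
 neighbor 192.0.2.90 remote-as 200
 neighbor 192.0.2.90 peer-group external-peers
 neighbor 192.0.2.100 remote-as 300
 neighbor 192.0.2.100 peer-group external-peers
 neighbor 198.51.100.7 remote-as 64512
 neighbor 2001:db8:3:4::1 remote-as 200
 neighbor 2001:db8:3:4::1 password xxxxxxxxxx
!
ip route 0.0.0.0 0.0.0.0 198.51.100.7
"""


def parse_bgp_neighbors(config):
    """Return {neighbor: {"remote_as", "password", "group"}} for the 'router bgp' block,
    with remote-as and password inherited from the neighbor's peer-group when not set directly."""
    groups, peers, inside = {}, {}, False
    for raw in config.splitlines():
        if raw.startswith("router bgp "):
            inside = True
            continue
        if not raw.startswith(" "):          # any other top-level line ends the BGP block
            inside = False
        if not inside:
            continue
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "neighbor":
            continue
        name, keyword, args = tokens[1], tokens[2], tokens[3:]
        blank = {"remote_as": None, "password": False, "group": None}
        if keyword == "peer-group" and not args:      # 'neighbor G peer-group' declares a group
            groups.setdefault(name, dict(blank))
            continue
        entry = groups[name] if name in groups else peers.setdefault(name, dict(blank))
        if keyword == "remote-as":
            entry["remote_as"] = int(args[0])
        elif keyword == "password":
            entry["password"] = True
        elif keyword == "peer-group":                 # 'neighbor X peer-group G' joins a group
            entry["group"] = args[0]
    for peer in peers.values():                       # resolve inheritance from the peer-group
        group = groups.get(peer["group"])
        if group:
            if peer["remote_as"] is None:
                peer["remote_as"] = group["remote_as"]
            peer["password"] = peer["password"] or group["password"]
    return peers


def bgp_findings(config, ag_asns=AG_PROVIDER_ASNS):
    """NET0164: no BGP session to an AG provider AS (only a static route is acceptable).
    NET0408: every BGP neighbor must authenticate (password set directly or via its peer-group)."""
    findings = []
    for name, peer in parse_bgp_neighbors(config).items():
        if peer["remote_as"] in ag_asns:
            findings.append(f"NET0164: {name} peers with AG provider AS {peer['remote_as']}; use a static route")
        if not peer["password"]:
            findings.append(f"NET0408: {name} has no MD5 password, directly or through a peer-group")
    return findings


if __name__ == "__main__":
    for finding in bgp_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```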


NET0425 V0007009 CAT I An Infinite Lifetime key has not been implemented

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure the lifetime of a MD5 Key expiration is set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version.

Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

Vulnerability Discussion: Only Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates—both with a 180-day lifetime. A third key must also be defined with an infinite lifetime. Both of these steps will ensure that there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.

Checks

NET MD5 Lifetime Key
Review the running configuration to determine if key authentication has been defined with an infinite lifetime.

RIP 2 Example

interface ethernet 0
 ip rip authentication key-chain trees
 ip rip authentication mode md5
router rip
 network 172.19.0.0
 version 2
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite

EIGRP Example

interface ethernet 0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 trees
router eigrp 1
 network 172.19.0.0
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite

Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use
key chains.

Note: When using MD5 authentication keys, it is imperative that the site is in compliance with the NTP policies. The router has to
know the time!

Note: The key number of the infinite-lifetime key (9999 in the examples) must be a high number to ensure you have plenty of
room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997…).

Default Finding Details: An Infinite Lifetime key has not been implemented for EIGRP or RIPv2.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET MD5 Lifetime Key
This check is in place to ensure keys do not expire creating a DOS due to adjacencies being dropped and routes being aged
out. The recommendation is to use two rotating six month keys with a third key set as infinite lifetime. The lifetime key should be
changed 7 days after the rotating keys have expired and redefined.

Notes:
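An added Python example for this check (not part of the DISA checklist or a Cisco tool): it parses an IOS key chain from a running-config, confirms that a key with an infinite send and accept lifetime exists, and computes the periods during which no key is active at all, which is the failure mode the discussion above warns about (no active key, no authentication, adjacencies dropped). The sample chain is the EIGRP example above, once with key 9999 and once with it deliberately removed; the chain name and times are taken from that example, and the handling of 'duration' lifetimes is an assumption about the syntax.

```python
from datetime import datetime, timedelta

INFINITE = datetime.max   # sentinel for a lifetime ending in 'infinite'

# Constructed sample: the EIGRP key chain from the checklist's example above, including key 9999
# (the infinite-lifetime key), and the same chain with that key deliberately left out.
CHAIN_WITH_INFINITE = """\
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite
"""
CHAIN_NO_INFINITE = "\n".join(CHAIN_WITH_INFINITE.splitlines()[:9]) + "\n"


def _parse_time(tokens, i):
    """Parse 'hh:mm:ss Mon D YYYY' starting at tokens[i]; return (datetime, next index)."""
    return datetime.strptime(" ".join(tokens[i:i + 4]), "%H:%M:%S %b %d %Y"), i + 4


def _parse_lifetime(tokens):
    """Tokens after accept-/send-lifetime: a start time, then 'infinite', 'duration N' or an end time."""
    start, i = _parse_time(tokens, 0)
    if tokens[i] == "infinite":
        return start, INFINITE
    if tokens[i] == "duration":          # assumed syntax: lifetime given in seconds from the start
        return start, start + timedelta(seconds=int(tokens[i + 1]))
    return start, _parse_time(tokens, i)[0]


def parse_key_chain(config, name):
    """Return {key_id: {"send": (start, end), "accept": (start, end)}} for 'key chain <name>'."""
    keys, inside, current = {}, False, None
    for raw in config.splitlines():
        tokens = raw.split()
        if raw.startswith("key chain "):
            inside = tokens[2] == name
            continue
        if not raw.startswith(" "):          # any other top-level line ends the chain
            inside = False
        if not inside or not tokens:
            continue
        if tokens[0] == "key" and len(tokens) == 2:
            current = keys.setdefault(int(tokens[1]), {})
        elif tokens[0] in ("accept-lifetime", "send-lifetime") and current is not None:
            current[tokens[0].split("-")[0]] = _parse_lifetime(tokens[1:])
    return keys


def _coverage_gaps(intervals):
    """Return (from, until) periods, after the earliest start, during which no interval is active."""
    gaps, covered_until = [], None
    for start, end in sorted(intervals):
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    if covered_until is not None and covered_until != INFINITE:
        gaps.append((covered_until, INFINITE))   # every key has expired after this point
    return gaps


def _fmt(t):
    return "forever" if t == INFINITE else t.isoformat(" ")


def lifetime_findings(config, chain):
    """NET0425: the chain needs a key with an infinite lifetime, and no period may lack an active key."""
    keys = parse_key_chain(config, chain)
    # A key with no configured lifetime is always valid in IOS, so it is modelled as an infinite interval.
    lifetimes = [{d: k.get(d, (datetime.min, INFINITE)) for d in ("send", "accept")} for k in keys.values()]
    findings = []
    if not any(lt["send"][1] == INFINITE and lt["accept"][1] == INFINITE for lt in lifetimes):
        findings.append(f"NET0425: key chain '{chain}' has no key with an infinite lifetime")
    for direction in ("send", "accept"):
        for gap_from, gap_until in _coverage_gaps([lt[direction] for lt in lifetimes]):
            findings.append(f"no {direction} key active from {_fmt(gap_from)} until {_fmt(gap_until)}; "
                            "adjacencies would drop")
    return findings


if __name__ == "__main__":
    print("with key 9999:", lifetime_findings(CHAIN_WITH_INFINITE, "trees") or "no findings")
    for finding in lifetime_findings(CHAIN_NO_INFINITE, "trees"):
        print("FINDING:", finding)
```

Without key 9999 the sample shows the gap between 10 Aug 2005 and 10 Dec 2005, when key 1 has expired and key 2 is not yet active, and a second gap after the last key expires; with key 9999 present both gaps are covered.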


NET0433 V0015432 CAT II AAA Method list is not applied or implemented

8500.2 IA Control: References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure an authentication method list is applied to all interfaces via an explicit definition or by use of the default keyword.

Vulnerability Discussion: The AAA authentication login statement identifies the method list name and the method used to authenticate. A named list of authentication methods must be defined and applied to each interface using the authentication method. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

Checks
NET AAA Method list implemented
If the following default list is coded in the AAA configuration, then explicit method lists are not required on each interface.

CISCO Example:
aaa authentication login default local

If the default method list is not defined, a configuration similar to the following should be defined for each interface (the list
must name at least one authentication method; local is used here to match the default example).

CISCO Example:
aaa authentication login listname local

line vty 0 4
 login authentication listname

Default Finding Details: An authentication method list is not applied to all interfaces via an explicit definition or by use of the default keyword.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET AAA Method implemented
Have the SA define a Default Method list or apply a method list to each interface.

Notes:
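An added Python example for this check (not part of the DISA checklist or a Cisco tool): it reads the aaa authentication login lists and the line blocks of a running-config and reports lines that have no method list applied when no default list exists, lines that reference a list that was never defined, and lists that name no authentication method. The line names, list names and config fragment are constructed assumptions.

```python
# Constructed sample: a named method list applied to the console and the first vty range, an aux
# line with no list at all, and a vty range pointing at a list that was never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ADMIN group tacacs+ local
!
line con 0
 login authentication ADMIN
line aux 0
line vty 0 4
 login authentication ADMIN
line vty 5 15
 login authentication MISSING
"""
# The same config with the default list added: the aux line is then covered automatically.
SAMPLE_WITH_DEFAULT = "aaa authentication login default local\n" + SAMPLE_CONFIG


def parse_aaa(config):
    """Return ({method_list: [methods]}, {line: method_list or None}) from a running-config."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if raw.startswith("aaa authentication login ") and len(tokens) >= 4:
            lists[tokens[3]] = tokens[4:]          # e.g. ADMIN -> ['group', 'tacacs+', 'local']
        elif raw.startswith("line "):
            current = " ".join(tokens[1:])         # e.g. 'vty 0 4'
            lines[current] = None
        elif raw.startswith(" ") and current and tokens[:2] == ["login", "authentication"]:
            lines[current] = tokens[2]
        elif not raw.startswith(" "):
            current = None                         # any other top-level line ends the line block
    return lists, lines


def aaa_findings(config):
    """NET0433: each line needs an applied method list unless 'default' is defined; every applied
    list must exist and carry at least one authentication method."""
    lists, lines = parse_aaa(config)
    findings = []
    for name, methods in lists.items():
        if not methods:
            findings.append(f"NET0433: method list '{name}' defines no authentication methods")
    for line_id, name in lines.items():
        if name is None and "default" not in lists:
            findings.append(f"NET0433: line '{line_id}' has no login authentication and no default list exists")
        elif name is not None and name not in lists:
            findings.append(f"NET0433: line '{line_id}' applies undefined method list '{name}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("no default list", SAMPLE_CONFIG), ("with default list", SAMPLE_WITH_DEFAULT)):
        print(label + ":")
        for finding in aaa_findings(cfg):
            print("  FINDING:", finding)
```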


NET0440 V0003966 CAT II Emergency accounts limited to one.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure that when an authentication server is used for administrative access to the device, only one account is defined locally for use in an emergency (i.e., the authentication server or the connection to the device is down).

Vulnerability Discussion: Authentication for administrative access to the router is required at all times. A single account can be created in the router’s local database for use in an emergency such as when the authentication server is down or connectivity between the router and the authentication server is not operable.

Checks

NET Emergency Account
Base Procedure: Review the running configuration and verify that only one local account has been defined.

NET0440 - CISCO
username xxxxxxx password 7 xxxxxxxxxxx

Default Finding Details: More than one local account has been defined on the router.
The username and password are not stored in a sealed envelope kept in a safe.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Emergency Account
Ensure that only one local account has been defined on the router and store the username and password in a secured manner.

Notes:


NET0441 V0015434 CAT I Emergency account privilege level is not set

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure the emergency account defaults to the lowest authorization level and the password is in a locked safe.

Vulnerability Discussion: The emergency account must be protected by the IAO in a protected safe and assigned the lowest privilege level.

Checks
NET emergency Acct privilege
The default CISCO privilege level 0 allows the enable command to be executed. The CISCO example below details how this
can be set up:

username emergency-acct privilege 0 password Xx1!abcd

DEFAULTS:
Privilege Level 0 Includes the disable, enable, exit, help, and logout commands

Privilege Level 1 Includes all user-level commands at the router> prompt

Privilege Level 15 Includes all enable-level commands at the router# prompt

Default Finding Details: Emergency account privilege level is not set to the lowest privilege level.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Emergency Acct privileges
Configure the emergency account with the lowest privilege level. The user using this account should be able to use the enable
command. If the user knows the enable secret password, recovery and/or administrative privileges should work.

Notes:


NET0465 V0003057 CAT II Assign lowest privilege level to user accounts.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties.

Vulnerability Discussion: By not restricting router administrators to their proper privilege levels, access to restricted functions may be allowed before they are trained or experienced enough to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced administrators.

Checks

NET Lowest Privilege Level
BASE Procedure: There are 16 possible privilege levels that can be specified for users in the router configuration. The levels
can map to commands, which have set privilege levels--or you can reassign levels to commands. Usernames with
corresponding passwords can be set to a specific level.

NET0465 - CISCO
The configuration will contain several username name password password entries, each followed by a username name privilege
level entry. The user is automatically granted that privilege level upon logging in. Below is an example of assigning a privilege
level to a local user account and changing the default privilege level of the configure terminal command.

username junior-engineer1 privilege 7 password xxxxxx
username senior-engineer1 privilege 15 password xxxxxx
privilege exec level 7 configure terminal

Note The above example only covers local accounts, you will still need to check the accounts and their associated privilege
levels configured in the authentication server. You can also use TACACS for even more granularity at the command level.

Below is an example of CiscoSecure TACACS+ server defining the privilege level.
user = junior-engineer1 {

password = clear "xxxxx"
service = shell {

set priv-lvl = 7
}
}
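The two checks above (emergency-account privilege and least privilege for user accounts) are normally worked through by eye. The following Python script is an added example, not part of the checklist and not DISA or Cisco code: it pulls the privilege level out of local IOS username lines (IOS default is level 1 when none is given) and out of CiscoSecure TACACS+ user stanzas, then compares each account against an approved maximum the reviewer supplies. The sample configurations, the account names and the approved-level table are constructed for the example; the emergency account name is assumed to be emergency-acct.

```python
import re
from typing import Dict, List

# Constructed sample IOS configuration fragment (not from the checklist).
SAMPLE_IOS_CONFIG = """\
username emergency-acct privilege 15 password Xx1!abcd
username junior-engineer1 privilege 7 password xxxxxx
username senior-engineer1 privilege 15 password xxxxxx
username helpdesk1 password xxxxxx
privilege exec level 7 configure terminal
"""

# Constructed sample CiscoSecure TACACS+ user definitions (not from the checklist).
SAMPLE_TACACS_USERS = """\
user = junior-engineer1 {
    password = clear "xxxxx"
    service = shell {
        set priv-lvl = 7
    }
}
user = contractor1 {
    password = clear "xxxxx"
    service = shell {
        set priv-lvl = 15
    }
}
"""

# Constructed record of the highest level each account's duties require (reviewer input).
APPROVED_MAX = {"junior-engineer1": 7, "senior-engineer1": 15, "helpdesk1": 1, "contractor1": 7}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
PRIV_LVL_RE = re.compile(r"set\s+priv-lvl\s*=\s*(\d+)")


def ios_privilege_levels(config: str) -> Dict[str, int]:
    """Map each local 'username' entry to its privilege level; IOS defaults to 1 when omitted."""
    return {m.group(1): int(m.group(2)) if m.group(2) else 1
            for m in USERNAME_RE.finditer(config)}


def tacacs_privilege_levels(text: str) -> Dict[str, int]:
    """Extract 'set priv-lvl' from each 'user = name { ... }' stanza, tracking brace depth."""
    levels: Dict[str, int] = {}
    current, depth = None, 0
    for line in text.splitlines():
        start = re.match(r"\s*user\s*=\s*(\S+)\s*\{", line)
        if start and depth == 0:
            current, depth = start.group(1), 1
            continue
        if current is None:
            continue
        found = PRIV_LVL_RE.search(line)
        if found:
            levels[current] = int(found.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return levels


def audit_privilege(levels: Dict[str, int], approved_max: Dict[str, int],
                    emergency_account: str = "emergency-acct") -> List[str]:
    """One finding per account above its approved level, and one if the emergency
    account is not at level 0 (level 0 still permits 'enable', as the check text notes)."""
    findings = []
    for user, level in sorted(levels.items()):
        if user == emergency_account:
            if level != 0:
                findings.append(f"{user}: emergency account at privilege {level}, expected 0")
            continue
        allowed = approved_max.get(user)
        if allowed is None:
            findings.append(f"{user}: no approved privilege level on record (configured {level})")
        elif level > allowed:
            findings.append(f"{user}: privilege {level} exceeds approved maximum {allowed}")
    return findings


if __name__ == "__main__":
    for finding in audit_privilege(ios_privilege_levels(SAMPLE_IOS_CONFIG), APPROVED_MAX):
        print("IOS   ", finding)
    for finding in audit_privilege(tacacs_privilege_levels(SAMPLE_TACACS_USERS), APPROVED_MAX):
        print("TACACS", finding)
```

Run against the samples it reports the emergency account sitting at level 15 and the TACACS+ account contractor1 holding level 15 where 7 was approved; the local accounts on both sides that match their approved levels produce nothing.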

Default Finding The following user accounts exist that are assigned higher privilege levels than are required for the performance of the user's duties:
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Lowest Privilege Level
The router administrator will assign router accounts with the least privilege rule. Each user will have access to only the
privileges they require to perform their respective duties. Access to the highest privilege levels should be restricted to a few
users.

Notes:


NET0700 V0003160 CAT II Minimum operating system release level

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will implement the latest stable operating system on each router IAW the current Network Infrastructure
Security Checklist.

Vulnerability Network devices that are not running the latest tested and approved versions of software are vulnerable to network attacks. Running
Discussion the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches,
as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially
harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.

Checks

NET OS Current
Base Procedure

Have the SA display the OS version currently in operation. Verify the release is not End of Life. The OS must be current with
related fixes and patches.
NET0700 - CISCO
Have the router administrator execute the show version command on all of the Cisco routers to verify that the installed IOS
version is at 12.3 or later. Software Major Release 12.3 was posted to CCO May 19, 2003. You will find in some cases version
12.2 is the most current version, typically in the CAT IOS 6000 switch family only.

Default Finding IOS version 12.3 has not been implemented on all Cisco routers.
Details
JUNOS version is at 7.3 on J, M and T series and 5.3.2 on E series.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET OS Current
Later OS Software releases contain vulnerabilities which may not have been addressed in current versions.

Operating Systems are not IAW with Network Infrastructure Security Checklist

Update Operating Systems on all routers.
Notes:


NET0710 V0003077 CAT III The Cisco discovery protocol (CDP) is not disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure CDP is disabled on all active external interfaces on Cisco premise routers.

Vulnerability CDP is primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of
Discussion SNMP with the CDP Management Information Base (MIB) allows network management applications to learn the device type and the
SNMP agent address of neighboring devices; thereby, enabling the application to send SNMP queries to those devices. CDP is also
media- and protocol-independent as it runs over the data link layer; therefore, two systems that support different network-layer protocols
can still learn about each other. Allowing CDP messages to reach external network nodes is dangerous as it provides an attacker a
method to obtain information of the network infrastructure that can be useful to plan an attack.

Checks

NET CDP Internal Only
Review all Cisco router configurations to ensure that no cdp run is included in the global configuration or no cdp enable is
included for each active external interface.

Default Finding The Cisco discovery protocol (CDP) is enabled on the edge router(s) external interfaces.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET CDP Internal Only
Ensure that no cdp run is included in the global configuration or no cdp enable is included for each active external interface.

Notes:


NET0720 V0003078 CAT III TCP and UDP small server services are not disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure TCP & UDP small servers are disabled.

Vulnerability Cisco IOS provides the "small services" that include echo, chargen, and discard. These services, especially their User Datagram
Discussion Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service
attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source
address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If
such a packet were sent to the Cisco's UDP echo port, the result would be the Cisco sending a DNS packet to the server in question.
No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The
small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the
commands no service tcp-small-servers and no service udp-small-servers.

Checks

NET TCP/UDP small-servers
IOS Procedure: Review all Cisco router configurations to verify that service udp-small-servers and service tcp-small-servers are
not found.

Note: The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are
disabled by default on Cisco IOS Software Versions 11.3 and later.

Default Finding TCP and UDP small server services are enabled on the router(s).
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET TCP/UDP small-servers
The router administrator will change the router configuration files to include the following CISCO commands: no service tcp-small-servers
and no service udp-small-servers, for each router running an IOS version prior to 12.0. This is the default for IOS
versions 12.0 and later (i.e., these commands will not appear in the running configuration).

Notes:


NET0722 V0005614 CAT III Service Pad is enabled on the router.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure PAD services are disabled unless approved by the DAA.

Vulnerability Packet Assembler Disassembler (PAD) is an X.25 component seldom used. It collects the data transmissions from the terminals and
Discussion gathers them into a X.25 data stream and vice versa. PAD acts like a multiplexer for the terminals. If enabled, it can render the device
open to attacks. Some voice vendors use PAD on internal routers.

Checks

NET PAD Services
IOS Procedure: Review all Cisco router configurations to verify that service pad is not found.

Default Finding Service Pad is enabled on the router.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET PAD Services
The router administrator will change the router configuration files to include the following CISCO commands: no service pad

Notes:

NET0724 V0005615 CAT III TCP Keep-Alives for Telnet Session must be enabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure TCP Keep-Alives for Telnet Session are enabled.

Vulnerability Idle logged-in telnet sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually
Discussion test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally,
the opposite end of the connection may still believe the session is available. These “orphaned” sessions use up valuable router
resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keepalive
messages to check that the remote end of a session is still connected. If the remote device fails to respond to the keepalive message,
the sending router will clear the connection and free resources allocated to the session.

Checks

NET TCP Keep-alives
IOS Procedure: Review all Cisco router configurations to verify that tcp-keepalives-in are enabled.

Default Finding TCP Keep-Alives for Telnet Session are not enabled.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET TCP Keep-alives
The router administrator will change the router configuration files to include the following CISCO command: service
tcp-keepalives-in

Notes:


NET0726 V0005616 CAT III Identification support is enabled.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure identification support is not enabled.

Vulnerability Identification support allows one to query a TCP port for identification. This feature enables an unsecured protocol to report the identity
Discussion of a client initiating a TCP connection and a host responding to the connection. Identification support can connect a TCP port on a
host, issue a simple text string to request information, and receive a simple text-string reply. This is another mechanism to learn the
router vendor, model number, and software version being run.

Checks

NET IDENT Support disabled
Review all Cisco router configurations to verify that identification support is not enabled via ip identd IOS command.

Default Finding Identification support is enabled and must be disabled.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET IDENT Support Disabled
The router administrator will change the router configuration files to include the following CISCO command: no ip identd, if it is
enabled.

Notes:

NET0730 V0003079 CAT III The finger service is not disabled on all routers.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure Finger is disabled.

Vulnerability The IOS finger service supports the UNIX finger protocol, which is used for querying a host about the users that are logged on. This
Discussion service is not necessary for generic users. If an attacker would find out who is using the network, they may use social engineering
practices to try to elicit classified DOD information.

Checks

NET Finger Disabled
Base Procedure:
Ensure finger has not been implemented in the configuration by verifying the vendor default and reviewing the configuration.

NET0730 - CISCO
Review all Cisco router configurations to verify that the IOS command, no ip finger for IOS version 12.0 and higher and no
service finger for earlier version, is included.

Default Finding The finger service is enabled on the router(s).
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Finger Disabled
Verify the finger service is disabled.

Notes:


NET0740 V0003085 CAT II HTTP server is not disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure HTTP servers are disabled.

Vulnerability The additional services that the router is enabled for increases the risk for an attack since the router will listen for these services. In
Discussion addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions
support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to
interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the
network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a
relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since
the router will listen for these services.

Checks

NET HTTP Server
IOS Procedure: Verify http-server is not defined in the configuration. The feature is disabled by default in IOS version 12.0;
hence the no ip http-server command will not appear in the running configuration.

Default Finding The following servers were enabled on the router:
Details
HTTP

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET HTTP Server
The router administrator will change the router configuration files to include the Cisco command, no ip http-server, for all routers
with an IOS version after 11.3 and prior to 12.0. IOS versions 12.0 and later have this disabled by default and this will not
appear in the running configuration.

Notes:


NET0742 V0014668 CAT II FTP server is not disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure FTP server is disabled.

Vulnerability The additional services enabled on a router increases the risk for an attack since the router will listen for these services. In addition,
Discussion these services provide an unsecured method for an attacker to gain access to the router.

Checks

NET FTP Server
Base Procedure:
Ensure ftp server has not been implemented in the configuration by verifying the vendor default and reviewing the configuration.

NET0742 - CISCO
IOS Procedure: Verify ftp-server is not defined in the configuration. The feature is disabled by default in IOS version 12.0; hence
the no ip ftp-server command will not appear in the running configuration.

Default Finding FTP server is not disabled on the router.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET FTP Server
The router administrator will disable ftp server features for all routers.

Notes:


NET0744 V0014669 CAT II BSD commands are not disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure BSD r command services are disabled.

Vulnerability Berkeley Software Distribution (BSD) “r” commands allow users to execute commands on remote systems using a variety of protocols.
Discussion The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without
passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The
difficulty with these commands is that they use address-based authentication. An attacker who convinces a server that he is coming
from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by
impersonating a trusted machine and using IP address, by confusing DNS so that DNS thinks that the attacker's IP address maps to a
trusted machine's name, or by any of a number of other methods.

Checks

NET BSD 'r' commands
Base Procedure:
Ensure ftp server has not been implemented in the configuration by verifying the vendor default and reviewing the configuration.

NET0744 - CISCO
Verify the BSD ‘r’ commands are not defined in the configuration. The feature is disabled by default in IOS version 12.0. Some
of the common commands are: ip rcmd rcp-enable, ip rcmd rsh-enable

Default Finding BSD commands are not disabled on the router.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET BSD 'r' commands
The router administrator will change the router configuration to remove BSD commands from all routers.

Notes:


NET0750 V0003086 CAT III The bootp service is not disabled on all routers.

8500.2 IA Control: ECSD-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure Bootp server is disabled.

Vulnerability Bootp is a user datagram protocol (UDP) that can be used by Cisco routers to access copies of Cisco IOS Software on another Cisco
Discussion router running the Bootp service. In this scenario, one Cisco router acts as a Cisco IOS Software server that can download the software
to other Cisco routers acting as Bootp clients. In reality, this service is rarely used and can allow an attacker to download a copy of a
router's Cisco IOS Software.

Checks

NET Bootp Disabled
IOS Procedure: Review all Cisco router configurations to verify that the IOS command no ip bootp server is present.

Default Finding The bootp service is enabled on the following routers:
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Bootp Disabled
The router administrator will change the router configuration files to include the Cisco command, no ip bootp server, for each
router.

Notes:

NET0760 V0003080 CAT II Configuration auto-loading must be disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure configuration auto-loading is disabled.

Vulnerability The routers can find their startup configuration either in their own NVRAM or load it over the network via TFTP or Remote Copy (rcp).
Discussion Obviously, loading the configuration from the network is a security risk. If the startup configuration were intercepted by an attacker,
it could be used to gain access to the router.

Checks

NET Boot Network
IOS Procedure: Ensure the commands boot network and service config are not included. Note: Both are disabled by default in
version 12.0 and later, so the no boot network and no service config commands will not be displayed in the running configuration.

Default Finding The no boot network and no service config commands are not employed to restrict auto-loading of the startup configuration via TFTP.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Boot Network
The router administrator will change the router configuration files to include the CISCO commands, no boot network and no
service config, for each router.

Notes:


NET0770 V0003081 CAT II IP Source Routing is not disabled on all routers.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure IP source routing is disabled.

Vulnerability Source routing is a feature of IP, whereby, individual packets can specify routes. This feature is used in several different network
Discussion attacks.

Checks

NET Source-Route Disabled
Base Procedure: Review the configuration to determine if source routing is turned on. Verify the vendor defaults do not enable
this function.

NET0770 - CISCO
Ensure the command no ip source-route is included.

Default Finding IP Source Routing is enabled on the router(s).
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Source-Route Disabled
The router administrator will change the router configuration files to include the CISCO command, no ip source-route, for each
router.

Notes:


NET0780 V0003082 CAT II Proxy ARP must be disabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure Proxy ARP is disabled.

Vulnerability When proxy ARP is enabled on a Cisco router, it allows that router to extend the network (at Layer 2) across multiple interfaces (LAN
Discussion segments). Because proxy ARP allows hosts from different LAN segments to look like they are on the same segment, proxy ARP is
only safe when used between trusted LAN segments. Attackers can leverage the trusting nature of proxy ARP by spoofing a trusted
host and then intercepting packets. You should always disable proxy ARP on router interfaces that do not require it, unless the router is
being used as a LAN bridge.

Checks

NET IP Proxy-arp disabled
IOS Procedure: Ensure the command no ip proxy-arp is included for every active interface.

Default Finding The IP proxy Address Resolution Protocol (ARP) service is enabled on the router interface.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET IP Proxy-arp disabled
The router administrator will change the router configuration files to include the no ip proxy-arp command for each interface of
every router.

Notes:

NET0781 V0005618 CAT II Gratuitous ARP must be disabled.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure Gratuitous ARP is disabled.

Vulnerability A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the
Discussion network about a host's IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly,
causing network malfunction.

Checks

NET Gratuitous Arp Disabled
IOS Procedure: Review all router configurations and verify ip gratuitous-arps is not configured. Disabled by default in 12.3 and
above.

Default Finding The IP gratuitous Address Resolution Protocol (ARP) service is enabled on the router interface.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Gratuitous Arp Disabled
The router administrator will ensure the router configuration files do not include ip gratuitous-arps command.
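The global-configuration checks from NET0720 through NET0781 (small servers, PAD, TCP keepalives, identd, finger, HTTP, FTP, BSD r commands, bootp, configuration auto-loading, source routing and gratuitous ARP) share one awkward property the checklist keeps repeating: several of these services changed their default between IOS releases, so on older IOS the reviewer must find the explicit no form, while on newer IOS the no form is not displayed and the reviewer must instead confirm the bare command is absent. The Python script below is an added example, not part of the checklist and not DISA or Cisco code, that encodes each check as a (required or prohibited) line and derives the version-dependent form from the IOS version string. It assumes the IOS spellings ip http server (the checklist writes http-server) and ftp-server enable, and the thresholds stated in the checks (small servers disabled by default from 11.3, the others from 12.0, the finger negation changing from no service finger to no ip finger at 12.0). The two configuration excerpts are constructed.

```python
import re
from typing import List, Tuple

# Constructed running-config excerpts (not from the checklist).
NEW_IOS_CONFIG = """\
! excerpt from a router running IOS 12.3
service pad
service tcp-keepalives-in
no ip source-route
no ip bootp server
no ip finger
ip http server
ip name-server 10.0.0.53
"""

OLD_IOS_CONFIG = """\
! excerpt from a router running IOS 11.2, carrying the explicit negations older IOS needs
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no boot network
no service config
service tcp-keepalives-in
no ip source-route
no ip bootp server
"""


def parse_ios_version(text: str) -> Tuple[int, int]:
    """Reduce an IOS version string such as '12.3(4)T' to (major, minor)."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def rule_set(version: Tuple[int, int]) -> List[Tuple[str, str, bool]]:
    """Return (check id, config line, must_be_present) tuples for this IOS version.
    Prohibited lines are matched as a prefix so 'boot network tftp://...' is caught;
    a 'no <cmd>' line never matches the bare '<cmd>' prefix."""
    rules = [
        ("NET0722", "service pad", False),
        ("NET0724", "service tcp-keepalives-in", True),
        ("NET0726", "ip identd", False),
        ("NET0742", "ftp-server", False),           # assumed IOS form: 'ftp-server enable'
        ("NET0744", "ip rcmd rcp-enable", False),
        ("NET0744", "ip rcmd rsh-enable", False),
        ("NET0750", "no ip bootp server", True),
        ("NET0770", "no ip source-route", True),
        ("NET0781", "ip gratuitous-arps", False),
        # NET0730: the finger negation changed syntax at 12.0.
        ("NET0730", "no ip finger" if version >= (12, 0) else "no service finger", True),
    ]
    # Services that became disabled by default in a later release: older IOS must carry the
    # explicit negation, newer IOS must simply not enable them (the 'no' form is not shown).
    default_off_since = [
        ("NET0720", "service tcp-small-servers", (11, 3)),
        ("NET0720", "service udp-small-servers", (11, 3)),
        ("NET0740", "ip http server", (12, 0)),      # checklist writes 'ip http-server'
        ("NET0760", "boot network", (12, 0)),
        ("NET0760", "service config", (12, 0)),
    ]
    for check, cmd, since in default_off_since:
        if version >= since:
            rules.append((check, cmd, False))
        else:
            rules.append((check, "no " + cmd, True))
    return rules


def normalize(config: str) -> List[str]:
    """Collapse whitespace and drop blank lines and '!' comment lines."""
    return [" ".join(l.split()) for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def audit_global_services(config: str, ios_version: str) -> List[str]:
    """Evaluate every rule against the config lines; one finding per violation."""
    lines = normalize(config)
    findings = []
    for check, cmd, must_be_present in rule_set(parse_ios_version(ios_version)):
        present = any(l == cmd or l.startswith(cmd + " ") for l in lines)
        if must_be_present and not present:
            findings.append(f"{check}: required line missing: {cmd}")
        elif present and not must_be_present:
            findings.append(f"{check}: prohibited line present: {cmd}")
    return findings


if __name__ == "__main__":
    for label, cfg, ver in (("new", NEW_IOS_CONFIG, "12.3(4)T"), ("old", OLD_IOS_CONFIG, "11.2")):
        print(label, ver, audit_global_services(cfg, ver) or "no findings")
```

The old-IOS excerpt passes when audited as 11.2 but produces a finger finding when the same text is audited as 12.3, which is exactly the version confusion the checks warn about; the new-IOS excerpt is flagged for service pad and ip http server.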

Notes:


NET0790 V0003083 CAT III IP directed broadcasts are not disabled.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure IP directed broadcast is disabled on all router interfaces.

Vulnerability An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine.
Discussion The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a
link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, which is connected
directly to the target subnet, can conclusively identify a directed broadcast.

IP directed broadcasts are used in the extremely common and popular smurf, or Denial of Service (DoS), attacks. In a smurf attack, the
attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target
subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger
stream of replies, which can completely inundate the host whose address is being falsified. This service should be disabled on all
interfaces when not needed to prevent smurf and DoS attacks.

Checks

NET Direct Broadcast

IOS Procedure: IP directed broadcast is disabled by default in IOS version 12.0 and higher, so the command no ip directed-broadcast
will not be displayed in the running configuration; verify instead that the running configuration does not contain the command
ip directed-broadcast. For versions prior to 12.0 ensure the command no ip directed-broadcast is displayed in the running
configuration.

Default Finding IP directed broadcasts are not disabled on the following routers:
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Direct Broadcast
The router administrator will change the router configuration files to disable the IP directed broadcast on all interfaces.

Notes:


NET0800 V0003084 CAT II Filter ICMP on external interface

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure ICMP unreachable notifications, mask replies, and redirects are disabled on all external interfaces
of the premise router.

Vulnerability The Internet Control Message Protocol (ICMP) supports IP traffic by relaying information about paths, routes, and network conditions.
Discussion Routers automatically send ICMP messages under a wide variety of conditions. Three ICMP messages are commonly used by
attackers for network mapping and diagnosis: Host unreachable, Redirect, and Mask Reply.

Checks

NET ICMP Unreachables

Base Procedure:
Review the active configuration to determine if controls have been defined to ensure the router does not send ICMP
unreachables, redirects, and mask replies out any external interfaces.

NET0800 - CISCO

For IOS version 12.0 and later review the running configuration of the premise router and ensure the following commands are
not present on all external interfaces: ip unreachables, ip redirects, and ip mask-reply. For versions prior to 12.0, ensure the
following commands are present: no ip unreachable, no ip redirects, and no ip mask-reply. The configuration should look similar
to the following:
interface FastEthernet 0/0
ip address 199.36.92.1 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip mask-reply

In addition, host unreachable messages will be sent in reply to black-hole routes. Be sure that the Null0 interface also has no ip
unreachable defined if there are static routes destined for this interface.
interface null0
no ip unreachables
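The interface-level checks (NET0710 CDP on external interfaces, NET0780 proxy ARP on every active interface, NET0790 directed broadcast and NET0800 ICMP unreachables, redirects and mask replies on external interfaces, plus the Null0 case just described) all need the reviewer to walk each interface stanza. The Python script below is an added example, not part of the checklist and not DISA or Cisco code. It splits a running configuration into global lines and per-interface sub-commands, skips interfaces that are shut down, honours a global no cdp run in place of per-interface no cdp enable, applies the pre-12.0 and post-12.0 forms of the directed-broadcast check, and only demands no ip unreachables on Null0 when a static route points at it. It assumes the reviewer supplies the set of external interface names and, following the sample interface above, expects the explicit no ip unreachables, no ip redirects and no ip mask-reply lines on external interfaces whatever the IOS version. The configuration is constructed; the addresses are documentation and private ranges.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running configuration (not from the checklist).
SAMPLE_CONFIG = """\
cdp run
interface FastEthernet0/0
 description external link to the ISP
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/1
 description internal LAN
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/2
 shutdown
!
interface Null0
 no ip unreachables
!
ip route 203.0.113.0 255.255.255.0 Null0
"""

ICMP_NEGATIONS = ("no ip unreachables", "no ip redirects", "no ip mask-reply")


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running config into global lines and the indented sub-commands of each
    'interface <name>' stanza (whitespace normalised, '!' separators dropped)."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif raw[:1].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_interfaces(config: str, ios_version: Tuple[int, int], external: Set[str]) -> List[str]:
    """Per-interface findings for NET0710, NET0780, NET0790 and NET0800."""
    global_lines, blocks = parse_interfaces(config)
    cdp_globally_off = "no cdp run" in global_lines
    null0_routed = any(re.match(r"ip route .* null0$", l, re.IGNORECASE) for l in global_lines)
    findings: List[str] = []
    for name, cmds in blocks.items():
        if name.lower() == "null0":
            # Black-hole routes generate host-unreachables unless Null0 is silenced too.
            if null0_routed and "no ip unreachables" not in cmds:
                findings.append("NET0800: Null0 carries static routes but lacks 'no ip unreachables'")
            continue
        if "shutdown" in cmds:          # administratively down: not an active interface
            continue
        if "no ip proxy-arp" not in cmds:
            findings.append(f"NET0780: {name}: 'no ip proxy-arp' missing")
        if ios_version >= (12, 0):
            if "ip directed-broadcast" in cmds:
                findings.append(f"NET0790: {name}: 'ip directed-broadcast' enabled")
        elif "no ip directed-broadcast" not in cmds:
            findings.append(f"NET0790: {name}: 'no ip directed-broadcast' missing (pre-12.0 default is on)")
        if name in external:
            if not cdp_globally_off and "no cdp enable" not in cmds:
                findings.append(f"NET0710: {name}: CDP still enabled on external interface")
            for neg in ICMP_NEGATIONS:
                if neg not in cmds:
                    findings.append(f"NET0800: {name}: '{neg}' missing on external interface")
    return findings


if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG, (12, 3), {"FastEthernet0/0"}):
        print(finding)
```

On the sample the external interface is flagged three times (proxy ARP, CDP, missing no ip mask-reply), the internal interface and the shut-down interface produce nothing, and Null0 passes because the static route to it is matched by its no ip unreachables. Re-running with the version set to 11.2 adds a directed-broadcast finding on each active interface; prefixing the config with no cdp run removes the CDP finding.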

Default Finding The following ICMP messages are not disabled on routers external interfaces:
Details
Host unreachable
Redirect
Mask Reply

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET ICMP Unreachables
The router administrator will change the router configuration files to ensure no ip unreachables, no ip redirects and no ip
mask-reply are enabled in the OS.

Notes:


NET0812 V0005620 CAT III NTP clients must receive services from premise

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The IAO/NSO will ensure all internal routers are configured to use the premise router to synchronize time in an external trusted NTP
implementation.

Vulnerability NTP is insecure and without peering within the enclave Network Time Protocol can be used by an attacker to send NTP packets to
Discussion crash or overload the router.

Checks

NET NTP Client use Premise
Base Procedure: Review the router configurations and verify that NTP clients have been defined to use the premise router.

NET0812 - CISCO
IOS Procedure: Review the router configurations and verify that NTP clients have been defined similar to the following example:
ntp server 129.237.32.2 (source IP address of server)

Default Finding The router is not configured to a local NTP server.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET NTP Client use Premise
Implement a secure NTP process using a local NTP server.

Notes:


NET0813 V0014671 CAT II MD5 authentication not used for NTP

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability When the NTP source originates from an internal clock, the router administrator will ensure all routers use MD5 to authenticate the time
source.

Vulnerability Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to
Discussion falsify NTP information. Implementing MD5 authentication between NTP peers can mitigate this risk. When MD5 authentication is
enforced, there is a greater level of assurance that NTP updates are from a trusted source.

Checks

NET NTP MD5 use
Base Procedure: Review router configurations to verify NTP sessions are authenticated using MD5.

NET NTP MD5 use IOS
IOS Example:
You should find a configuration similar to the example below:
ntp server 129.237.32.2 key 999

ntp authenticate
ntp authentication-key 999 md5 xxxxxxxxx
ntp trusted-key 999

Default Finding NTP authentication is not implemented when the NTP source originates from an internal clock.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET NTP MD5 use
Ensure that routers use MD5 to authenticate the time source from internal clocks.

Notes:
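The consistency this check depends on (the server association, the authentication-key definition and the trusted-key list all naming one MD5 key) can be verified mechanically from the running-config. The Python audit below is an added example, not part of the checklist; both sample configs are constructed, the first deliberately leaving the server without a key and trusting a key ID that is never defined.

```python
"""Audit an IOS running-config for authenticated NTP (the NET0813 check).

Added example, not part of the DISA checklist. The two sample configs below
are constructed; the first leaves the server without a 'key' keyword and
trusts a key ID that is never defined, the second is the intended configuration.
"""

# Constructed sample: 'ntp trusted-key 10' names a key with no
# 'ntp authentication-key' line, and the server line carries no 'key' keyword.
MISMATCHED = """\
ntp server 129.237.32.2
ntp authenticate
ntp authentication-key 999 md5 xxxxxxxxx
ntp trusted-key 10
"""

# Constructed sample: server, key definition and trusted-key all use ID 999.
HARDENED = """\
ntp server 129.237.32.2 key 999
ntp authenticate
ntp authentication-key 999 md5 xxxxxxxxx
ntp trusted-key 999
"""


def _key_arg(tokens):
    """Return the integer after a 'key' keyword on an 'ntp server/peer' line, else None."""
    if "key" in tokens:
        i = tokens.index("key")
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def audit_ntp_auth(config):
    """Return a list of finding strings; an empty list means the check passes."""
    authenticate = False
    servers = {}   # address -> key ID used for that association (None if absent)
    keys = {}      # key ID -> algorithm named on its 'ntp authentication-key' line
    trusted = set()
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["ntp", "authenticate"]:
            authenticate = True
        elif tokens[:2] in (["ntp", "server"], ["ntp", "peer"]) and len(tokens) > 2:
            servers[tokens[2]] = _key_arg(tokens)
        elif tokens[:2] == ["ntp", "authentication-key"] and len(tokens) > 3:
            keys[int(tokens[2])] = tokens[3]
        elif tokens[:2] == ["ntp", "trusted-key"]:
            trusted.update(int(t) for t in tokens[2:] if t.isdigit())

    findings = []
    if not servers:
        findings.append("no ntp server or ntp peer configured")
    if not authenticate:
        findings.append("ntp authenticate is missing")
    for addr, key in sorted(servers.items()):
        if key is None:
            findings.append(f"server {addr}: no 'key' keyword, its updates are unauthenticated")
            continue
        if key not in keys:
            findings.append(f"server {addr}: key {key} has no ntp authentication-key definition")
        elif keys[key] != "md5":
            findings.append(f"server {addr}: key {key} does not use md5")
        if key not in trusted:
            findings.append(f"server {addr}: key {key} is not an ntp trusted-key")
    for key in sorted(trusted - set(keys)):
        findings.append(f"trusted key {key} has no ntp authentication-key definition")
    return findings


if __name__ == "__main__":
    for label, cfg in (("mismatched", MISMATCHED), ("hardened", HARDENED)):
        print(label, audit_ntp_auth(cfg) or ["OK"])
```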


NET0820 V0003020 CAT III DNS servers must be defined for client resolver.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The IAO/NSO will ensure that the DNS servers are defined if the router is configured as a client resolver.

Vulnerability The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example,
Discussion suppose a source host wishes to establish a Telnet connection with a destination host and queries a DNS server for the IP address of
the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will
establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon,
authentication, and other sensitive data.

Checks

NET DNS Servers for Client
Base Procedure: Review the running configuration to ensure that DNS servers have been defined if the router had been
configured as a client resolver.

NET0820 - CISCO
The configuration should look similar to one of the following examples:
! configure as client resolver and specify DNS server
ip domain-lookup
ip name-server 192.168.1.253

or

! disable client resolver
no ip domain-lookup

Note: ip domain-lookup is enabled by default.

Default Finding The primary and secondary DNS server addresses are not set on the router.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET DNS Servers for Clients
The router administrator will change the router configuration files to include the primary and secondary domain servers for each
router.

Notes:


NET0890 V0003021 CAT II SNMP access is not restricted by IP address

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will restrict SNMP access to the router from only authorized internal IP addresses.

Vulnerability Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers, it could be
Discussion used to trace the network, show the network's topology, and possibly gain access to network devices.

Checks

NET SNMP Access Restricted
Base Procedure: Review all router configurations to ensure ACLs are in place to limit SNMP access to specific NMS hosts.

NET0890 - CISCO
IOS Example:
access-list 10 permit host 7.7.7.5
snmp-server community <clear text string> ro 10

Default Finding ACLs are not used to restrict access to SNMP sessions to approved IP addresses.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET SNMP Access Restricted
The router administrator will change the router configuration files to include ACLs to limit access to SNMP sessions to allowed
IP addresses only.

Notes:

NET0892 V0003022 CAT II SNMP is blocked at all external interfaces

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure SNMP is blocked at all external interfaces.

Vulnerability Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers, it could be
Discussion used to trace the network, show the network's topology, and gain access to network devices.

Checks

NET SNMP External IP Blocked
Verify that the IP addresses permitted SNMP access to the routers belong to the internal network.

Default Finding SNMP access is not restricted to the internal network.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET SNMP External IP Blocked
The router administrator will change the router configuration files to include ACLs that limit access to SNMP sessions to the internal
network.

Notes:


NET0894 V0003969 CAT II SNMP write access to the router is enabled.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure SNMP is only enabled in the read mode; Read/Write is not enabled unless approved and
documented by the IAO/NSO.

Vulnerability Enabling write access to the router via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables
Discussion that can disrupt network operations.

Checks

NET SNMP Read/Write Access
Base Procedure: Review all configurations to ensure SNMP access from the network management stations is read only.

NET0894 - CISCO
The configuration should look similar to the following:

access-list 10 permit host 7.7.7.5
snmp-server community xxxxxxxxx ro 10

Default Finding Write access to the router via SNMP is enabled.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET SNMP Read/Write Access
Disable SNMP write access to the router.

Notes:
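The three SNMP findings above (NET0890: bound to an ACL, NET0892: only internal hosts permitted, NET0894: read-only) can be audited together from the running-config. The Python below is an added example, not part of the checklist; the internal prefixes and sample configs are constructed, with the 7.7.7.5 management host taken from the checklist's own example.

```python
"""Audit 'snmp-server community' statements for the NET0890/NET0892/NET0894 checks:
every community must be bound to a standard ACL, the ACL must permit only
internal management hosts, and the community must be read-only.

Added example, not part of the DISA checklist; the sample configs and the
internal address ranges are constructed.
"""
import ipaddress

# Constructed: the management ranges the NMS hosts are expected to live in.
INTERNAL = [ipaddress.ip_network("7.7.7.0/24"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample with one compliant and three non-compliant communities.
WEAK = """\
access-list 10 permit host 7.7.7.5
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 permit host 203.0.113.9
snmp-server community xxxxxxxxx ro 10
snmp-server community public ro
snmp-server community private rw 20
snmp-server community orphan ro 30
"""

# Constructed sample that passes every check.
HARDENED = """\
access-list 10 permit host 7.7.7.5
access-list 10 deny any log
snmp-server community xxxxxxxxx ro 10
"""


def _acl_target(tokens):
    """Map the address part of a standard ACL entry to an ip_network (None if unparsable)."""
    try:
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1])
        if len(tokens) > 1 and tokens[1][:1].isdigit():
            # 'addr wildcard': ipaddress accepts the wildcard as a host mask
            return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        return ipaddress.ip_network(tokens[0])
    except (ValueError, IndexError):
        return None


def parse_snmp(config):
    """Return ({acl number: [(action, network)]}, [(mode, acl number or None)])."""
    acls, communities = {}, []
    for raw in config.splitlines():
        t = raw.split()
        if t[:1] == ["access-list"] and len(t) > 3 and t[2] in ("permit", "deny"):
            acls.setdefault(t[1], []).append((t[2], _acl_target(t[3:])))
        elif t[:2] == ["snmp-server", "community"] and len(t) > 2:
            mode, acl, rest = "ro", None, t[3:]
            while rest:
                if rest[0] in ("view", "ipv6"):   # skip '<keyword> <name>' pairs
                    rest = rest[2:]
                    continue
                if rest[0] in ("ro", "rw"):
                    mode = rest[0]
                else:                              # remaining token is the standard ACL
                    acl = rest[0]
                rest = rest[1:]
            communities.append((mode, acl))
    return acls, communities


def audit_snmp(config, internal=INTERNAL):
    """Return finding strings; communities are numbered, not quoted, to keep secrets out of reports."""
    acls, communities = parse_snmp(config)
    findings = []
    for n, (mode, acl) in enumerate(communities, start=1):
        if mode == "rw":
            findings.append(f"community #{n}: read/write access is enabled")
        if acl is None:
            findings.append(f"community #{n}: not bound to an ACL, any host may poll it")
            continue
        if acl not in acls:
            findings.append(f"community #{n}: ACL {acl} is referenced but not defined")
            continue
        for action, net in acls[acl]:
            if action != "permit":
                continue
            if net is None:
                findings.append(f"community #{n}: ACL {acl} has an entry this audit cannot evaluate")
            elif not any(net.subnet_of(i) for i in internal):
                findings.append(f"community #{n}: ACL {acl} permits {net} outside the internal network")
    return findings
```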


NET0897 V0014672 CAT III Authentication traffic does not use loopback

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating TACACS+ or
RADIUS traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. TACACS+, RADIUS messages sent to management servers should use the loopback address
as the source address.

Checks

NET Loopback source TACACS
Base Procedure: Review the configuration and verify the loopback address is used as the source address when originating
TACACS+ or RADIUS traffic.

NET Loopback source TACACS IOS
IOS Procedure:
Verify that a loopback address has been configured as shown in the following example:

interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

ip tacacs source-interface Loopback0
ip radius source-interface Loopback0

Default Finding The router’s loopback address is not used as the source address when originating TACACS+ or RADIUS traffic.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source TACACS
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0898 V0014673 CAT III Syslog traffic is not using loopback address

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating syslog traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. Syslog messages sent to management servers should use the loopback address as the source
address.

Checks

NET Loopback source SYSLOG
Base Procedure: Review the configuration and verify logging data uses the loopback interface.

NET0898 - CISCO
Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

logging on
logging host 192.168.1.100
logging source-interface Loopback0

Default Finding
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source SYSLOG
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0899 V0014674 CAT III Loopback addr is not used as the source IP for NTP

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating NTP traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. NTP messages sent to management servers should use the loopback address as the source
address.

Checks

NET Loopback source NTP

Base Procedure: Review the configuration and verify NTP data uses the loopback interface.

NET0899

IOS Procedure: Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

ntp update-calendar
ntp server 129.237.32.2
ntp server 142.181.31.6
ntp source Loopback0

Default Finding Loopback addr is not used as the source IP for NTP.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source NTP
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0900 V0014675 CAT III SNMP traffic does not use loopback

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating SNMP traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. SNMP messages sent to management servers should use the loopback address as the source
address.

Checks

NET Loopback source SNMP
Base Procedure: Review the configuration and verify SNMP data uses the loopback interface.

NET0900 - CISCO
Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

snmp-server trap-source Loopback0

Default Finding The router’s loopback address is not used as the source address when originating SNMP traffic.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source SNMP
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0901 V0014676 CAT III Netflow traffic is not using loopback

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating NetFlow traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. Netflow messages sent to management servers should use the loopback address as the
source address.

Checks

NET Loopback source NetFlow
Base Procedure: Review the configuration and verify NetFlow data uses the loopback interface.

NET0901 - CISCO
Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

ip flow-sampling-mode packet-interval 100
ip flow-export destination 192.168.3.33 9991
ip flow-export source Loopback0

Default Finding The router’s loopback address is not used as the source address when originating NetFlow traffic.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source NetFlow
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0902 V0014677 CAT III FTP/TFTP traffic does not use loopback

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address when originating TFTP or FTP traffic.

Vulnerability Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers.
Discussion It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since
the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical
interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the
numerous physical interface addresses. TFTP and FTP messages sent to management servers should use the loopback address as
the source address.

Checks

NET Loopback source TFTP / FTP

Base Procedure: Review the configuration and verify FTP or TFTP data uses the loopback interface.

NET0902 - CISCO

Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

ip ftp username xxxxxxxxx
ip ftp password 7 xxxxxxxxxxxxxxxxxx
ip ftp source-interface Loopback0

ip tftp source-interface Loopback0

Default Finding The router’s loopback address is not used as the source address when originating FTP or TFTP traffic.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source TFTP / FTP
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:


NET0903 V0014681 CAT III BGP peering traffic does not use loopback

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the router’s loopback address is used as the source address for BGP peering sessions.

Vulnerability When the loopback address is used as the source for eBGP peering, the BGP session will be harder to hijack since it is hidden. This
Discussion makes it more difficult for a hacker to spoof an eBGP neighbor. A hacker must determine the eBGP speaker’s source address (among
other properties of the session) in order to spoof one of its eBGP neighbors. By using traceroute, a hacker can easily determine the
addresses for an eBGP speaker when the IP address of an external interface is used as the source address. The routers within the
iBGP mesh should also use loopback addresses as the source address when establishing BGP sessions with peers within its own
autonomous system.

Checks

NET Loopback source BGP peerin
Base Procedure: Review the configuration and verify BGP peering data uses the loopback interface.

NET0903 - CISCO
Step 1: Verify that a loopback address has been configured as shown in the following example:
interface loopback 0
ip address 10.10.2.1 255.255.255.255

Note: IOS allows multiple loopback interfaces to be defined.

router bgp 100
neighbor 200.200.200.2 remote-as 200
neighbor 200.200.200.2 update-source Loopback0

Default Finding The router’s loopback address is not used as the source address for BGP peering sessions.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Loopback source BGP peerin
Ensure that the router's loopback address is used as the source address when originating traffic.

Notes:
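The loopback-source findings NET0897 through NET0903 all reduce to the same question: is each management-plane protocol in use bound to a loopback that carries a /32 host address? The Python audit below answers it for all of them at once; it is an added example, not part of the checklist, and both sample configs are constructed.

```python
"""Audit that management-plane traffic is sourced from a /32 loopback (the NET0897 to
NET0903 checks: TACACS+, RADIUS, syslog, NTP, SNMP traps, NetFlow, FTP/TFTP and BGP).
Added example, not part of the DISA checklist; both sample configs are constructed."""

# (label, statement showing the service is in use or None for always, source command).
# A service whose trigger is absent is skipped, as the checklist marks it not applicable.
SERVICES = [
    ("TACACS+", "tacacs-server host ", "ip tacacs source-interface "),
    ("RADIUS", "radius-server host ", "ip radius source-interface "),
    ("syslog", "logging host ", "logging source-interface "),
    ("NTP", "ntp server ", "ntp source "),
    ("SNMP traps", "snmp-server host ", "snmp-server trap-source "),
    ("NetFlow export", "ip flow-export destination ", "ip flow-export source "),
    ("FTP", None, "ip ftp source-interface "),
    ("TFTP", None, "ip tftp source-interface "),
]

# Constructed: /24 loopback, no syslog/FTP/TFTP/BGP source, NTP on a physical port,
# SNMP naming an undefined loopback.
WEAK = """\
interface Loopback0
 ip address 10.10.2.1 255.255.255.0
tacacs-server host 192.168.1.10
ip tacacs source-interface Loopback0
logging host 192.168.1.100
ntp server 129.237.32.2
ntp source GigabitEthernet0/0
snmp-server host 192.168.1.50 traps xxxxxxxxx
snmp-server trap-source Loopback1
router bgp 100
 neighbor 200.200.200.2 remote-as 200
"""

# Constructed: every in-use service and the BGP peer use Loopback0.
HARDENED = """\
interface Loopback0
 ip address 10.10.2.1 255.255.255.255
logging host 192.168.1.100
logging source-interface Loopback0
ntp server 129.237.32.2
ntp source Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
router bgp 100
 neighbor 200.200.200.2 remote-as 200
 neighbor 200.200.200.2 update-source Loopback0
"""

def _norm(name):
    """'loopback 0' and 'Loopback0' name the same interface."""
    return "".join(name.split()).lower()

def _loopbacks(lines):
    """Return {normalised loopback name: True if it carries a /32 address}."""
    found, current = {}, None
    for l in lines:
        t = l.split()
        if t[:1] == ["interface"]:
            name = _norm(" ".join(t[1:]))
            current = name if name.startswith("loopback") else None
            if current:
                found[current] = False
        elif current and t[:2] == ["ip", "address"] and len(t) > 3:
            found[current] = t[3] == "255.255.255.255"
    return found

def _check(label, iface, loopbacks):
    if iface is None:
        return [f"{label}: no source interface set, a physical interface address will be used"]
    name = _norm(iface)
    if not name.startswith("loopback"):
        return [f"{label}: source interface {iface} is not a loopback"]
    if name not in loopbacks:
        return [f"{label}: {iface} is referenced but not defined"]
    if not loopbacks[name]:
        return [f"{label}: {iface} does not carry a /32 host address"]
    return []

def audit_loopback_sources(config):
    """Return finding strings; an empty list means every in-use service is loopback-sourced."""
    lines = [l.strip() for l in config.splitlines()]
    loopbacks = _loopbacks(lines)
    findings = []
    for label, trigger, src_cmd in SERVICES:
        if trigger and not any(l.startswith(trigger) for l in lines):
            continue
        src = next((l[len(src_cmd):].strip() for l in lines if l.startswith(src_cmd)), None)
        findings += _check(label, src, loopbacks)
    # BGP: each 'neighbor X remote-as' needs 'neighbor X update-source <loopback>'.
    peers, sources = [], {}
    for l in lines:
        t = l.split()
        if t[:1] == ["neighbor"] and len(t) > 3 and t[2] == "remote-as":
            peers.append(t[1])
        elif t[:1] == ["neighbor"] and len(t) > 3 and t[2] == "update-source":
            sources[t[1]] = t[3]
    for peer in peers:
        findings += _check(f"BGP peer {peer}", sources.get(peer), loopbacks)
    return findings
```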


NET0906 V0014683 CAT II IPv6 Undetermined Transport is not blocked

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave.

Vulnerability One of the fragmentation weaknesses known in IPv6 is the undetermined transport packet. This is a packet that contains an
Discussion undetermined protocol due to fragmentation. Depending on the length of the IPv6 extension header chain, the initial fragment may not
contain the layer four port information of the packet.

Checks

NET undetermined Transport
IOS Procedure: Verify that an ACL for IPv6 has been defined to deny packets with unknown or invalid payload, and log all
violations. The ACL should be defined on the ingress and egress filters and should look as shown in the following example:

ipv6 access-list 600
remark prohibit unknown protocols
deny ipv6 any any undetermined-trans log


Default Finding The undetermined transport packet is not blocked at the perimeter in an IPv6 enclave.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Undetermined Transport
Ensure the undetermined transport command is implemented.

Notes:


NET0907 V0014685 CAT II IPv6 Routing Header is not blocked

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will ensure the routing header extension is blocked, type 0 is rejected in an IPv6 enclave.

Vulnerability The Routing header is used by an IPv6 source to specify a list of intermediate nodes that a packet has to traverse on the path to its
Discussion destination. If the packet cannot take the path, it is returned to the source node in an ICMPv6 unreachable error message. This header
supports a function very similar to the IPv4 packet Loose Source Routing. The routing header can be used maliciously to send a
packet through a path where less robust security is in place, than through the presumably preferred path by routing protocols. Use of
the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. The Routing header is identified by a
Next Header value of 43 and should be filtered by type using an ACL.

Checks

NET Routing Header

IOS Procedure: Verify that an ACL for IPv6 has been defined to deny IPv6 packets that include a Routing Header with Routing Type 0 on all
router interfaces. The ACL should be defined on the ingress and egress filters and should look as shown in the following
example:
ipv6 access-list 600
remark prohibit IPv6 routing header
deny ipv6 any any routing-type 0 log


Default Finding The IPv6 routing header extension is not blocked, type 0 is rejected in an IPv6 enclave.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Routing Header
Ensure the routing header type 0 deny statement is implemented.

Notes:
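The two IPv6 ACL entries required by NET0906 and NET0907 are best verified together: each deny must exist, precede any permit that could match first, carry the log keyword, and the ACL must be applied in both directions. The Python audit below is an added example, not part of the checklist; the sample configs, ACL names and interface names are constructed.

```python
"""Audit IPv6 traffic filters for the NET0906 (undetermined transport) and
NET0907 (routing header type 0) deny entries.
Added example, not part of the DISA checklist; both sample configs are constructed."""

# Constructed: EDGE-IN denies routing-type 0 after a permit and without 'log', EDGE-OUT
# lacks that deny entirely, MISSING is never defined, GigabitEthernet0/0 filters ingress only.
WEAK = """\
ipv6 access-list EDGE-IN
 deny ipv6 any any undetermined-transport log
 permit tcp any any eq 443
 deny ipv6 any any routing-type 0
 permit ipv6 any any
ipv6 access-list EDGE-OUT
 deny ipv6 any any undetermined-trans log
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter EDGE-IN in
interface GigabitEthernet0/1
 ipv6 traffic-filter EDGE-OUT out
 ipv6 traffic-filter MISSING in
"""

# Constructed sample that satisfies both checks.
HARDENED = """\
ipv6 access-list EDGE
 deny ipv6 any any undetermined-transport log
 deny ipv6 any any routing-type 0 log
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter EDGE in
 ipv6 traffic-filter EDGE out
"""

def _is_undetermined(entry):
    # The running-config shows the full keyword; the CLI also accepts abbreviations
    # such as the checklist's 'undetermined-trans', so match on a long enough prefix.
    return any(len(t) >= 14 and "undetermined-transport".startswith(t) for t in entry)

def _is_rh0(entry):
    return any(entry[i] == "routing-type" and entry[i + 1] == "0" for i in range(len(entry) - 1))

REQUIRED = [("undetermined transport", _is_undetermined), ("routing header type 0", _is_rh0)]

def parse_ipv6_acls(lines):
    """Return {acl name: [entry tokens]} with remark lines dropped."""
    acls, current = {}, None
    for l in lines:
        t = l.split()
        if t[:2] == ["ipv6", "access-list"] and len(t) > 2:
            current = t[2]
            acls.setdefault(current, [])
        elif current and t and t[0] in ("permit", "deny", "remark"):
            if t[0] != "remark":
                acls[current].append(t)
        else:
            current = None
    return acls

def parse_filters(lines):
    """Return ({acl name: set(directions)}, {interface: set(directions)})."""
    by_acl, by_iface, iface = {}, {}, None
    for l in lines:
        t = l.split()
        if t[:1] == ["interface"]:
            iface = " ".join(t[1:])
            by_iface.setdefault(iface, set())
        elif iface and t[:2] == ["ipv6", "traffic-filter"] and len(t) == 4:
            by_acl.setdefault(t[2], set()).add(t[3])
            by_iface[iface].add(t[3])
    return by_acl, by_iface

def _check_acl(name, entries):
    findings = []
    # Conservative ordering rule: the denies must precede every permit so that no
    # broader permit can match the packet first.
    first_permit = next((i for i, e in enumerate(entries) if e[0] == "permit"), len(entries))
    for label, matcher in REQUIRED:
        hits = [i for i, e in enumerate(entries) if e[0] == "deny" and matcher(e)]
        if not hits:
            findings.append(f"{name}: no deny for {label}")
            continue
        if hits[0] > first_permit:
            findings.append(f"{name}: deny for {label} is shadowed by an earlier permit")
        if "log" not in entries[hits[0]]:
            findings.append(f"{name}: deny for {label} does not log")
    return findings

def audit_ipv6_filters(config):
    """Return finding strings; an empty list means both checks pass."""
    lines = [l.strip() for l in config.splitlines()]
    acls = parse_ipv6_acls(lines)
    by_acl, by_iface = parse_filters(lines)
    findings = []
    for name in sorted(by_acl):
        if name not in acls:
            findings.append(f"{name}: applied but never defined")
        else:
            findings += _check_acl(name, acls[name])
    for iface, dirs in sorted(by_iface.items()):
        if dirs and dirs != {"in", "out"}:
            findings.append(f"{iface}: filtered {sorted(dirs)} only, ingress and egress both required")
    return findings
```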


NET0928 V0005607 CAT II Advertising unauthorized Bogon addresses

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The Router Administrator will have a procedure in place to check for changes and modify the BOGON/Martian list on a monthly basis.

Vulnerability It is a common best practice to block packets from areas of IP address space reserved but not yet allocated by the Internet Assigned
Discussion Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR), since such packets are useless or forged for illegitimate purposes.

Checks

NET Route Advertisements
Inspect the router’s ACLs against the IANA Unallocated and Reserved IP list and ensure they are applied to the interface if the
site is in a permit any posture. If the site is in a deny all posture, ensure the permit statements do not allow the bogon addresses
identified at the IANA web site. The current IANA listing can be found on the http://www.iana.org web site. The IANA IPv4
addresses need to be verified as blocked, either explicitly or by deny-by-default. The router administrator will have a procedure
in place to change or modify the BOGON/Martian list on a monthly basis if in a permit any any posture.

Default Finding The site is advertising unauthorized Bogon / Martian addresses.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Route Advertisements
The IAO/NSO will ensure that the site uses only authorized .mil addresses that have been registered and assigned to the
activity for advertisements.

Notes:

NET0948 V0014703 CAT II IPv6 Unique Local Unicast ADDR are not blocked

8500.2 IA Control: ECSC-1 References: INTEGRATED CONTINUITY PLANNING FOR DEFENSE
INTELLIGENCE

Vulnerability The IAO/NSO will ensure IPv6 Unique Local Unicast Addresses are blocked on the ingress and egress filter, (FC00::/7).

Vulnerability The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. Unique Local Address (ULA) is a routable address that
Discussion is not intended to be on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or
destination addresses outside of the site. This will ensure that packets with Local IPv6 destination addresses will not be forwarded
outside of the site via a default route.

Checks

NET IPv6Unique Local Unicast F
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or
implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the Unique Local Unicast addresses and
log all violations.

Default Finding IPv6 Unique Local Unicast addresses are not blocked by the enclave.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET IPv6 Unique Local Unicast
The router administrator will configure the router ACLs to restrict IP addresses that contain any Unique Local Unicast addresses.

Notes:


NET0949 V0005645 CAT II Routers are not configured with CEF enabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will enable CEF to improve router stability during a SYN flood attack to the network.

Vulnerability The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the
Discussion entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF
behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as a SYN flood attack.
Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply, there can be a
substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for
CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.

Note: Juniper's FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar functionality
and capabilities and is far superior to the traditional routing cache that is vulnerable to the DoS attack described above. The
forwarding plane on all Juniper M and T Series platforms is built around the FPC architecture, which has similar capabilities to CEF.
FPC is not configurable and is totally integrated with the Packet Forwarding Engine; hence, this will always be not a finding.

Checks

NET CEF enabled
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the
following: ip cef

CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall, there is not an
additional requirement to implement it on the router.

Default Finding Router administrator has not configured CEF.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET CEF enabled
The IAO will ensure that the ip cef command has been configured on Cisco routers.

Notes:


NET0953 V0014705 CAT II IPv6 routers are not configured with CEF enabled

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.

Vulnerability The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the
Discussion entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF
behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as a SYN flood attack.
Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply, there can be a
substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for
CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.

Note: Juniper’s FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar
functionality and capabilities and is far superior to the traditional routing cache that is vulnerable to the DoS attack described above.
The forwarding plane on all Juniper M and T Series platforms is built around the FPC architecture, which has similar capabilities to
CEF. FPC is not configurable and is totally integrated with the Packet Forwarding Engine; hence, this will always be not a finding.

Checks

NET IPv6 CEF enabled
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the
following: ipv6 cef

Default Finding IPv6 routers are not configured with CEF enabled.
Details

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET IPv6 CEF enabled
The IAO will ensure that the ipv6 cef command has been configured on Cisco routers.

Notes:


NET0965 V0005646 CAT II Must limit TCP connection requests wait times

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability The router administrator will set the maximum wait interval for establishing a TCP connection request to the router to 10 seconds or
less, or implement a feature to rate-limit TCP SYN traffic destined to the router.

Vulnerability Upon responding to the initial SYN packet that requested a connection to the router for a specific service (i.e., Telnet, SSH, BGP, etc)
Discussion with a SYN ACK, a Cisco router will wait 30 seconds for the ACK from the requesting host that will establish the TCP connection. A
more aggressive interval for waiting for the TCP connection to be established will reduce the risk of putting the router out of service
during a SYN flood attack directed at a Cisco router. The wait time can be adjusted using the ip tcp synwait-time command, which should
be set to 10 seconds or less. If the router does not have any BGP connections with BGP neighbors across WAN links, this value could
be set to an even more aggressive interval.

Checks

NET TCP synwait-time 10
Base Procedure: Review the configuration and verify that the wait time for TCP connection requests to the device is set to 10 seconds
or less, or that rate limiting of TCP SYN traffic has been implemented.

NET0965 - CISCO
IOS Procedure:
Review the router configuration to ensure the ip tcp synwait-time command is in place to limit the wait time for TCP connection
requests to the router. The configuration should look similar to the following:

ip tcp synwait-time 10

Default Finding Details: Router administrator has not configured the router to protect itself against a TCP SYN flood attack.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET TCP synwait-time 10
The IAO will ensure that the ip tcp synwait-time command has been configured on Cisco routers, or that rate limiting of TCP SYN
traffic has been configured on Juniper routers.

Notes:


NET1020 V0003000 CAT III A log or syslog statement does not follow all deny

8500.2 IA Control: ECAT-1, ECAT-2, ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will ensure that all attempts to access any port, protocol, or service that is denied are logged.

Vulnerability Discussion: Auditing and logging are key components of any security architecture. It is essential that security personnel know
what is being done, what is being attempted, and by whom in order to compile an accurate risk assessment. Auditing the actions on
routers provides a means to recreate an attack, or simply to identify a misconfiguration.

Checks

NET Log Denied PPS denied
Base Procedure: Review the running configuration and verify that both the router’s ingress and egress ACLs have a log
keyword following every deny, discard or reject statement.

NET1020
access-list 100 permit tcp . . . . . . .
access-list 100 permit tcp . . . . . . .
……….
access-list 100 deny any log

Default Finding Details: A log or syslog statement does not follow all deny, discard, or reject statements in the ingress or egress filter.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes
NET Log Denied PPS denied
The IAO will ensure that all deny statements in the ACLs of the router are followed by a log statement.

Notes:


NET1021 V0004584 CAT III Router must log severity levels.

8500.2 IA Control: ECAT-1, ECAT-2, ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The IAO/NSO will configure all devices to log severity levels 0 through 7 and send log data to a syslog server.

Vulnerability Discussion: Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify
configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog
levels 0-6 are the levels required to collect the necessary information to help in the recovery process.

Checks

NET Log Severity Levels

Base Procedure: Review all router configurations to ensure that all routers log messages for severity levels 0 through 6. By
specifying informational, all severity levels above it (0 through 5) will also be included.

Logging Level    Severity Level    Description
Emergencies      0
Alerts           1                 Immediate Action Required
Critical         2                 Critical Conditions
Errors           3                 Error Conditions
Warnings         4                 Warning Conditions
Notifications    5                 Normal but Significant Conditions
Informational    6                 Informational Messages
Debugging        7                 Debugging Messages
NET1021 - CISCO

logging on
logging host 192.168.1.22
logging console critical
logging trap informational
logging facility local7

Note: The command logging on is the default. If you see the command no logging on, then all logging except console logging
will be disabled. The default trap level is informational, so if a logging trap command is not present this implies logging
trap informational.

Default Finding Details: The router is not configured to log message severity levels 0-7, or the router is not configured to send syslog
messages to the syslog server.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Log Severity Levels
The router administrator will configure the router to log message severity levels 0-6 and send syslog messages to the syslog
server.
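The following is an added example, not part of the checklist, that automates the review steps of NET0965 (synwait-time), NET1020 (deny followed by log) and NET1021 (logging on, syslog host, trap level) against a Cisco IOS running-config. The sample configuration and the syslog host address in it are constructed; the severity numbers come from the table above.

```python
import re
# Constructed sample IOS running-config (not from the checklist); each check below finds one violation.
SAMPLE_CONFIG = """\
ip tcp synwait-time 30
logging on
logging host 192.168.1.22
logging trap warnings
access-list 100 permit tcp any host 10.1.1.5 eq 22
access-list 100 deny ip any any
ip access-list extended EGRESS
 permit ip 10.1.0.0 0.0.255.255 any
 deny ip any any log
"""

# IOS severity names -> numeric levels, as in the NET1021 table.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
            "notifications": 5, "informational": 6, "debugging": 7}

def check_synwait(config):
    """NET0965: ip tcp synwait-time must be configured and be 10 seconds or less."""
    m = re.search(r"^ip tcp synwait-time (\d+)$", config, re.M)
    if not m:
        return ["ip tcp synwait-time not configured (IOS default is 30s)"]
    return [] if int(m.group(1)) <= 10 else [f"synwait-time {m.group(1)}s exceeds 10s"]

def check_deny_log(config):
    """NET1020: every deny entry in a numbered or named ACL must carry the log keyword."""
    entries = re.findall(r"^[ \t]*((?:access-list \d+ |\d+ )?deny\b.*)$", config, re.M)
    return [f"deny without log: {e}" for e in entries
            if not set(e.split()) & {"log", "log-input"}]

def check_logging(config):
    """NET1021: logging on, a syslog host, and a trap level of informational (6) or higher."""
    findings = []
    if re.search(r"^no logging on$", config, re.M):
        findings.append("no logging on disables all logging except console")
    if not re.search(r"^logging host \S+", config, re.M):
        findings.append("no logging host configured")
    m = re.search(r"^logging trap (\S+)$", config, re.M)
    name = m.group(1) if m else "informational"  # IOS default when no logging trap line
    level = SEVERITY.get(name, int(name) if name.isdigit() else -1)
    if level < 6:
        findings.append(f"logging trap level {level} is below informational (6)")
    return findings

def check_config(config):
    """Return {check id: list of findings}; an empty list means NOT A FINDING."""
    return {"NET0965": check_synwait(config), "NET1020": check_deny_log(config),
            "NET1021": check_logging(config)}
```

Run it against a saved `show running-config` to get one finding list per check; a check whose list is empty is NOT A FINDING.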

Notes:


NET1028 V0003033 CAT III Restrict messages to the Syslog Server.

8500.2 IA Control: ECSC-1 References: NETWORK INFRASTRUCTURE SECURITY TECHNICAL
IMPLEMENTATION GUIDE

Vulnerability: The syslog administrator will configure the syslog server to accept messages only from authorized devices (restricting access via
source and destination IP address).

Vulnerability Discussion: Restrict access to the syslog server to approved IP addresses/users. If an unauthorized user gains access to the syslog
server and it is compromised, critical network information would be available to the attacker. This information could be used to
mount attacks against the network.

Checks

NET Syslog Srv Restrict Access
Base Procedure: Review the syslog server configuration to ensure that it is configured to accept messages from only authorized
devices.

NET1028 - CISCO
access-list 120 deny udp any x.x.x.x x.x.x.x eq syslog

Default Finding Details: The syslog server is not configured to restrict messages, via IP ACLs, from unauthorized devices.

OPEN: NOT A FINDING: NOT REVIEWED: NOT APPLICABLE:

Fixes

NET Syslog Srv Restrict Access
The router administrator will configure the router to restrict syslog server messages to only authorized devices (restricting
access via source and destination IP address).

Notes:
